Managing Organizational Culture for Effective Internal ... · Chapter 2 Basics 2.1 Internal Control 2.1.1 Definition This chapter introduces both internal control and organizational
Post on 24-Sep-2020
1 Views
Preview:
Transcript
Contributions to Management Science
Managing Organizational Culture for Effective Internal Control
From Practice to Theory
Bearbeitet vonJan A. Pfister
1. Auflage 2011. Taschenbuch. xx, 245 S. PaperbackISBN 978 3 7908 2785 9
Format (B x L): 15,5 x 23,5 cmGewicht: 410 g
Wirtschaft > Betriebswirtschaft: Theorie & Allgemeines > Organisationstheorie, -soziologie und -psychologie
Zu Inhaltsverzeichnis
schnell und portofrei erhältlich bei
Die Online-Fachbuchhandlung beck-shop.de ist spezialisiert auf Fachbücher, insbesondere Recht, Steuern und Wirtschaft.Im Sortiment finden Sie alle Medien (Bücher, Zeitschriften, CDs, eBooks, etc.) aller Verlage. Ergänzt wird das Programmdurch Services wie Neuerscheinungsdienst oder Zusammenstellungen von Büchern zu Sonderpreisen. Der Shop führt mehr
als 8 Millionen Produkte.
Chapter 2
Basics
2.1 Internal Control
2.1.1 Definition
This chapter introduces both internal control and organizational culture in order to
provide a basic understanding for the two topics. Before addressing organizational
culture in the second part of this chapter, the focus is set on internal control. A wide
range of control concepts exist in the management accounting and control litera-
ture: strategic control, management control, internal control, and control systems, to
name just a few of the major themes. The variety of concepts, their different
purposes in closely related areas, and particularly the different interpretations
from the various authors, generate many overlaps between concepts.1 As a result,
differences in terminologies often cause miscommunication and misguided expec-
tations among the parties involved.2 To understand the reason for the variety of
definitions of internal control itself, the term will be embedded in its historical
evolution and divided into a focused and a comprehensive view of internal control.
In addition, internal control will be discussed and integrated with strategic control,
management control and control systems in order to provide a holistic understand-
ing of the fundamental role of internal control for any business. Spending adequate
time for defining internal control provides the basis for investigating the role of
organizational culture for internal control throughout this study.
1Merchant and Otley (2007) provide an overview of different control areas in their review of the
literature on control and accountability.2Additional misunderstandings on the term control are more linguistic in nature. For example,
while in the English language the term ‘control’ covers proactive (e.g., directive, preventive
controls) and reactive controls (e.g., detective and corrective controls), in the German language
the term ‘Kontrolle’ is usually understood only as reactive control (Ruud and Jenal, 2005, p. 456).
J. Pfister, Managing Organizational Culture for Effective Internal Control,Contributions to Management Science,
DOI: 10.1007/978-3-7908-2340-0_2, # Springer Physica‐Verlag Berlin Heidelberg 2009
15
2.1.1.1 Brief Historical Sketch
During the last 15-20 years, a shift in focus from the accounting and finance
orientation of internal control to a much broader governance and business pers-
pective has taken place.3 The term internal control developed in the accounting
and auditing discipline, and was traditionally interpreted as “accounting controls”,
limited to the system that auditors test as part of their assurance on the reliability of
financial reporting.4 Therefore, internal control was often discussed in the context of
the external auditor’s work. While the detection of fraud as an audit objective has a
long history, internal control (as a subject) was not recognized until the twentieth
century.5 According to Brown (1962, p. 696), the difference between no recognition
and slight recognition of internal control was found in a 1905 publication entitled
Auditing by Lawrence Dicksee, an English audit specialist. In his study, originally
published in 1892, Dicksee does not mention the term internal control itself, but
addresses internal control by explaining that the object and scope of an audit has
three parts to it: “the detection of fraud, technical errors, and errors in principle”.6
From approximately 1905 to 2004, Heier et al. (2005, p. 41) show that the debate and
definitions, interpretations and applications of internal control have emerged as a
reactive evolution. Often these changes of definitions, interpretations and applica-
tions happened as “a reaction to a major change in the economic situation of a
country as a whole or to the actions of individual firms within the economy”.7
Most recent and prominent examples of such events and their reaction are a
series of company failures in the early 2000s associated with the scandals at Enron
and WorldCom.8 As a major legislative reaction, the US Congress introduced the
Sarbanes-Oxley Act of 2002 (SOX), which brought about a series of new require-
ments for domestic and foreign companies that are listed on US stock exchanges.9
3Maijoor (2000, p. 105). See also Power (1997).4For example, the Securities Act of 1933 addressed internal control and the audit process in the
following words: “In determining the scope of the audit necessary, appropriate consideration shall
be given to the adequacy of the system of internal check and internal control” (Early Regulation
SX Rule 2-02 (b) of the 1933 Act, quoted after Ferald Fernald (1943, p. 228). A later and broader
approach by the American Institute of Accountants (AIA) defined that “Internal control comprises
the plan of organization and all of the co-ordinate methods and measures adopted within a business
to safeguard its assets, check the accuracy and reliability of its accounting data, promote opera-
tional efficiency, and encourage adherence to prescribed managerial policies” (AIA 1948, quoted
after Heier et al. 2005, p. 48).5Brown (1962, p. 696).6Dicksee (1892, p. 6), quoted in Heier et al. (2005, p. 42).7Heier, Dugan, and Sayer discuss internal control in the context of auditing and its impact on audit
engagements.8For example, Brickey (2006), Rockness and Rockness (2005), Stewart (2006).9At that time, in the US regulation addressing internal control was limited in scope as the Foreign
Corrupt Practices Act of 1977 (FCPA) represented the only regulatory requirement for internal
control reporting. The purpose of SOX was to restore public confidence in the capital markets by
enhancing the reliability of financial reporting and the effectiveness of corporate governance by
addressing management’s responsibility for financial reporting as well as the scope and nature of
the audit (Ge and McVay 2005, p. 139).
16 2 Basics
With regard to internal control, a major and cost-intensive provision from SOX is
Section 404, which obliges management to assess and report on the effectiveness of
internal control over financial reporting.10 SOX is just one example of a reaction to
significant events. Heier, Dugan, and Sayer explain that the stock market crash of
1929, the economic boom after World War II, the revelation of bribery of several
100 US companies (including well-respected firms such as Exxon) in the aftermath
of the Watergate affair in the 1970s, and corporate failures at the beginning of the
1980s, are earlier examples of events that had an impact on internal control
regulation and interpretation. These events led either to more regulation and
mandatory disclosure of internal control aspects and/or to a broadening of the
interpretation of internal control in public policy documents.11 From these histori-
cal developments, a more focused view and a more comprehensive view on internal
control can be distinguished.12 The focused view sets internal control equal to the
“checks and balances” in accounting systems, while more recent approaches place
more emphasis on a more holistic approach to internal control, emphasizing
operational effectiveness and efficiency and compliance with laws, regulation,
and internal policies. Internal control is then an integrated part of organizational
governance. The focused and comprehensive view of internal control will be
discussed subsequently.
2.1.1.2 Focused View of Internal Control
A focused and traditional view of internal control (also referred to as accounting
controls13) is offered by Simons (1995, p. 84) as the “detailed, procedural checks and
balances”. They are designed to safeguard (tangible and intangible) assets from
10Coates (2007, p. 96) and Mintz (2005, p. 595). In Europe, the extraterritorial influence of SOX
was discussed and debated critically. In the European Union the Eight Directive addresses internal
control and risk management as well. As most European countries take a more principles-based
approach, the European approach is less detailed. In Switzerland, as a non-EU member, a new
regulation requires the auditor to prove the existence of the internal control system.11An early example of such a discussion on the broadness of internal control can be given with the
question whether administrative controls should be part of the audit or not. The American Institute
of Certified Public Accountant (AICPA 1958, pp. 66-67) states that “[administrative controls]
ordinarily relate only indirectly to the financial records and thus would not require evaluation”.
However, in the event these controls have “an important bearing on the reliability of financial
records”, then the auditor should consider including these controls in the assessment. Thus the
discussions in the 1950s are still accounting oriented but already were concerned about the
broadness of internal control. As will be discussed in this section, the debate about a broadening
of the interpretation of internal control will be continued later in the twenty-first century.12A similar distinction is taken by Jenal (2006, p. 3) who divides definitions on internal control into
a focused view (focusing only on financial reporting) and a comprehensive view (focusing on
operations, financial reporting and compliance).13Throughout this study the terms internal control, internal controls, and controls are treated as
synonyms.
2.1 Internal Control 17
misappropriation and ensure that accounting records and information systems are
reliable.14 According to Simons, these checks and balances concern three categories:
l Structural safeguards include an active audit committee of the board, an inde-
pendent internal audit function, segregation of duties, defined levels of authori-
zation, and restricted access to valuable assets.l Staff safeguards include adequate expertise and training for all accounting,
control, and internal audit staff, sufficient resources, and rotation of key jobs.l System safeguards include complete and accurate record keeping, adequate
documentation and audit trail, relevant and timely management reporting, and
restricted access to information systems and databases.15
Standing for the detailed procedures and safeguards for information handling,
transaction processing, and record keeping, internal control is critical in ensuring
that accounting records and information systems are reliable. Internal control relies
on “staff groups”, which design and execute controls, and on internal and external
auditors who assess periodically whether controls are reliable.16 Although the focused
view of internal control emphasizes the technical aspects such as databases, record
keeping, and segregation of duties, it is clear that these aspects of information handling
rely significantly on the effort of staff.17 That is why organizational culture is important
for internal control. Culture influences the common behaviors in an organization
and the efforts of each individual.18 However, this view of internal control is focused
because it limits the responsibility for internal control to the finance and auditing
area and places little emphasis on the fact that internal control is a part of operations
and compliance as well and is of concern to all people within an organization.
2.1.1.3 Comprehensive View of Internal Control
Business and accounting scandals in the 1980s challenged the adequacy of financial
reporting systems.19 To investigate the causes of fraudulent financial reporting and
make recommendations to reduce its likelihood, in 1985 the US established the
National Commission on Fraudulent Financial Reporting, known as the Treadway
Commission.20 The Commission’s recommendations led to a task force, which was
14See Kinney (2000a).15Simons (1995, pp. 84-85).16Simons (1995, pp. 85-86).17See Kinney (2000a), Pfaff and Ruud (2007), Pfaff et al. (2007), and Simons (1995).18See O’Reilly and Chatman (1996).19Ge and McVay (2005, p. 139). In the late 1980s the collapse of Bank of Credit and Commerce
International (BCCI) caused a financial panic spanning four continents and involved the Bank of
England (see Mintz 2005).20The Treadway Commission addressed internal control aspects such as the control environment,
code of conduct, audit committees, and internal audit. It also called for additional internal control
standards and guidance, and suggested that all listed companies should be required to include a
report on internal control in their annual reports (COSO 1992, p. 96).
18 2 Basics
built under the auspices of the Committee of Sponsoring Organization of the
Treadway Commission (COSO). This commission created the 1992 COSO-control
framework for the purpose of providing broadly accepted criteria for establishing,
monitoring, evaluating and reporting on internal control.21 COSO (1992, p. 3) takes
a comprehensive approach and defines internal control as:
a process, effected by an entity’s board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
l Effectiveness and efficiency of operations.l Reliability of financial reporting.l Compliance with applicable laws and regulations.22
Kinney (2000b, p. 84) remarks that the COSO definition is widely accepted in
practice, as can be seen through the application of similar conceptual definitions
by other relevant groups around the world.23 For instance, the definition from the
Canadian Guidance on Control Board (CoCo)24 explains internal control as “all the
resources, processes, culture, structure, and tasks that, taken together, support people
in achieving those objectives”. Approaching the subject more broadly, the CoCo
definition explicitly mentions internal elements such as “internal reporting”, “infor-
mation within the organization”, and “internal policies” as part of internal control.
The Institute of Chartered Accountants in England and Wales (ICAEW)25 empha-
sizes the importance of responding to risk and, relevant to the focus of this study,
states that internal control has to do with “behaviors”. The European Federation of
Accountants (FEE) sets internal control in relation to governance and describes
internal control as going “beyond procedures” and includes “elements such as
corporate culture, systems, structure, policies and tasks”.26 Despite minor differ-
ences in accentuation, all these definitions support the COSO definition.
21COSO (1992, p. 97). The COSO framework is summarized in Sect. 3.2.2.22Emphasis added.23Pfaff and Ruud (2007, p. 19). A reason for this broad acceptance might be that there is generally
more awareness for the fact that internal control is more than finance and accounting, but is pervasive
throughout all areas of the organization. The COSO definition has a broad foundation in the US as the
TreadwayCommissionwas established as a collaborating sponsorship among the relevant institutions
in accounting, control and auditing, including the American Institute of Certified Public Accountants
(AICPA), American Accounting Association (AAA), Financial Executives International (FEI), The
Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).24The Guidance on Control Board is associated with the Canadian Institute of Chartered Accoun-
tants (CICA) and issues the CoCo control framework (see CoCo 1995b and Sect. 3.2.3).25The internal control definition of the ICAEWis from theTurnbull report,which is part of theCombined
Code – A mandatory guideline for listed companies in the UK (see ICAEW 1999 and Sect. 3.2.4).26See FEE (2005). A more specialized group such as the Information Systems Audit and Control
Association, which provides the IT-governance-framework called COBIT (Control Objectives for
Information and Related Technology), offers a more technical interpretation and distinguishes
between preventive, detective and corrective control (see ISACA 2007). The Basle Committee on
Banking Supervision describes control as something that is “continually” going on at all levels in a
bank and also highlights the importance of an “appropriate culture”. BCBS is responsible for the
international banking regulation and is associated with the Bank of International Settlements (BIS)
and Basel II (see BCBS 1998).
2.1 Internal Control 19
This study applies the comprehensive view of internal control. The broad view
includes the focused view. Internal control safeguards assets and provides reason-
able assurance for information quality so that the organization can achieve its
objectives regarding effectiveness and efficiency of operations, reliability of inter-
nal and external reporting, and compliance with laws, regulations, and internal
policies. Internal control is effected by board, management, and other personnel,
“by what they do and what they say”.27 Figure 2.128 illustrates the three objective
categories operations, reporting and compliance of the comprehensive view of
internal control.
2.1.1.4 Specifying the Comprehensive View
This comprehensive view of internal control is seen as an integrated concept within
organizational governance. The OECD (2004, p. 11) defines organizational (corpo-
rate) governance29 as:
a set of relationships between a company’s management, its board, its shareholders and
other stakeholders. Corporate governance also provides the structure through which the
objectives of the company are set, and the means of attaining those objectives andmonitoring performance are determined. Good corporate governance should provide
proper incentives for the board and management to pursue objectives that are in the
interests of the company and its shareholders and should facilitate effective monitoring.30
As the definition from the OECD illustrates, compared to internal control, gover-
nance puts a stronger emphasis on the discrepancies between the interests of
27COSO (1992, p. 14).28The figure is based on the COSO categories, complemented with CoCo’s “internal reporting”
and “internal policies”.29The OECD uses the term corporate governance (instead organizational governance). Organiza-
tional governance is broader than corporate governance as it can include any type of organization
and not only corporations.30Emphasis added.
Objective categories
ReportingOperations Compliance
• Effectiveness
• Efficiency
• Internal reliability
• External reliability
• Internal policies
• Law and regulations
Fig. 2.1 Objective categories
20 2 Basics
organizational in- and outsiders.31 The primary interest is on whether board and top
management work in alignment with the interests of shareholders and other stake-
holders. The OECD definition contains the words: “means of attaining those
objectives”, which is in alignment with the definition of internal control.32 There-
fore, one interface between governance and control is the objective setting process.
While organizational governance “provides the structure through which the objec-
tives of the company are set”,33 internal control represents the means to achieve the
organization’s objectives.
Pfaff and Ruud (2007, p. 21) clarify that internal control consists of a series of
actions that are integrated with business activities and conducted throughout the
organizational units and functions. As illustrated in Fig. 2.2, Porter (1985, p. 46)
divides business activities into primary activities that generate value, such as
inbound logistics, operations, and sales, and secondary activities, such as human
resource management, infrastructure and procurement, which support the primary
activities.34 Operations, reporting, and compliance aspects are integrated within all
31Organizational governance roots in the separation of ownership from control. According to Berle
and Means (1932, p. 6), this separation leads to a condition in which the interests of owner and
managers “may, and often do, diverge, and where many of the checks which formerly [in the single
entrepreneurship] operated to limit the use of power disappear”. In general, the literature analyzes
this separation with the agency-theory. The owner (principal) delegates ‘control’ to management
(agent). This relationship between principal and agent is characterized through asymmetric
information. Management, as organizational insider, has a better understanding and in-depth
knowledge than the owners as organizational outsiders (Ruud 2003, p. 82).32Because governance explicitly includes external parties such as shareholders and stakeholders
but also mentions all means of attaining the organizational objectives (which represents in-
ternal control), the argumentation here is that governance is broader defined than internal
control. Effective internal control can be understood as contributing to effective organizational
governance.33OECD (2004, p. 11).34While the illustrated structure of the value chain of a manufacturing company represents only
one possible example, each individual company has its own definition of the value chain. Internal
control is pervasive throughout any organization’s primary and secondary activities and is
inherently affected by the way management runs the business (Pfaff and Ruud, 2007, p. 21;
Ruud, 2003, p. 78).
Inboundlogistics
OperationsOutboundlogistics
Marketing& sales
Prim
ary
activ
ities
Seco
ndar
yac
tiviti
es
CustomersSuppliers
Customerservices
Firm infrastructure
Human ressource management
Technology development
Procurement
Fig. 2.2 The value chain of a manufacturing company.
Source: Adapted from Porter (1985, p. 46)
2.1 Internal Control 21
these primary and secondary activities. Thus, according to the comprehensive view,
internal control is not just part of finance and accounting, but of any other activity
such as marketing and sales, logistics and technology development. The compre-
hensive view supports that internal control is not an exclusive function of board,
executives, senior finance managers or internal and external auditors, but of all
people in the organization.35 Depending on the hierarchical level of the person and
the size of the organization, the responsibility for internal control varies from
function to function.36 COSO (1992, p. 89) writes:
[. . .] virtually all employees play some role in effecting control. They may produce
information used in the internal control system – for example, inventory records, work-
in-process data, sales or expenses reports – or take other actions needed to effect control.
These actions may include performing reconciliations, following up on exception reports,
performing physical inspections or investigating reasons for cost variances or other perfor-
mance indicators. The care with which those activities are performed directly affects the
effectiveness of the internal control system.
Internal control is more than fulfilling required manuals and forms. Equally as
important, it is also about how people conduct internal control – how they design,
implement, maintain and monitor control as part of their day-to-day activities.
That is why organizational culture is important for internal control. As will be
discussed later, organizational culture represents the common understanding
among organizational members how controls need to be performed in an organi-
zational setting.
To further clarify the role of internal control and the focus of this study, in the
next section the definition will be integrated with strategic control and management
control.37 These research areas are closely related to internal control and their
literatures will be partially included in the further course of the study.
2.1.2 Management Decision Processes
While internal control provides information quality for any decision maker in the
organization, particularly influential for the achievement of the organizational
objectives are management decision processes. Kinney (2000b, p. 83), envisioning
himself as the CEO of a multinational corporation, asks:
Howwould I know whether I was getting the right information for decision making, that my
assets were being protected, and that my people were complying with laws, regulations, and
company policy – all on a worldwide basis?
35CoCo (1995b, p. 6).36CoCo (1995a, p. 7).37Although internal control has a fundamental role for any business, in the literature relatively
little attention is spent on integrating internal control with strategic control and management
control (exceptions are Kinney 2000a; Merchant and Otley 2007; Simons 2000).
22 2 Basics
One important contribution to the solution to this question is internal control.
Figure 2.338 illustrates the relationship between management decision processes
and internal control.39 As the figure demonstrates, internal control (illustrated in the
center) has several inputs, such as information from transactions with customers,
workers, and suppliers such as sales, payroll, and contracts (on the upper right),
other events and conditions such as a new regulation or a natural catastrophe (at the
lower right), other internal information (at the bottom) as well as information based
on management decisions such as plans and authorizations (at the left).40 Internal
control prepares all this information for management decision processes and
impacts the decisions made by management.41 People’s ability to fulfill their
responsibility and make adequate decisions relies significantly on the quality of
the information they receive.42 In contrast, an organization can easily go in the
wrong direction if the information people receive is incomplete, incorrect or
manipulated.43 Effective internal control provides people in the organization with
appropriate, timely, accurate and accessible information.
Hence, information content is necessary, provided when required, includes the
latest information available, and is correct and easily accessible by the appropriate
Plans
Authorizations
Internalcontrol
Managementdecision
processes*
Customers,workers,suppliers
Other eventsand
conditions
Organization
Feedback for
follow-up
Other information
Transactions
information
*Strategic and operating planning and follow-up of exceptions
Fig. 2.3 Management decision processes and internal control.
Source: Adopted from Kinney (2000b, p. 85)
38Kinney’s figure illustrates ‘workers’ outside the firm, which can be debated from COSO’s perspec-
tive. In the COSO definition, ‘personnel’ are the one that effect internal control and are therefore part
of the firm. Assuming that the term ‘workers’ represents the private person providing an economic
exchange in form of workforce against payroll, this illustration sees workers outside the firm.39CoCo (1995b, p. 11).40Ulrich (2001, p. 250).41Kinney (2000b, p. 85).42COSO (1992, p. 6). Sunder (1997, p. 56) emphasizes that management depends on the informa-
tion people share within the organization. It is the people’s own decision which information they
are willing to share and how accurately and truthfully they share it.43Ulrich (2001, p. 249).
2.1 Internal Control 23
party and location.44 Internal control contributes to decision-making by providing
information for both the normal course of business as well as when there are
operational issues, noncompliance with standards or other violations of policy
and illegal actions.45
2.1.2.1 Control in General versus Control Systems
While control in general can mean anything from formal to informal control mecha-
nisms, control systems stand usually for the “formal, information-based routines and
procedures managers use to maintain or alter patterns in organizational activities”.46
Thus, when speaking of the internal control system, the formal mechanisms of checks
and balances are understood. In contrast, when addressing internal control in general,
formal and informal activities are included. For example, while an IT-based restric-
tion of access to organizational assets is part of the internal control system, aninformal discussion between a line manager and a hiring manager about the require-
ments for a job opening is part of internal control, but not part of the internal control
system (as long as the discussion does not follow a prescribed formal procedure and
will enter in a database). Similar distinctions can be made for strategic control and
strategic control systems, and management control and management control systems.
2.1.2.2 Integration with Strategic Control and Management Control
Figure 2.4 illustrates the relationship between strategic control, management con-
trol and internal control. As the foundation of all other control systems, internal
control is illustrated at the bottom of the figure.47 Internal control provides reason-
able assurance that information on which any system in the organization builds is
44COSO (1992, p. 62).45COSO (1992, p. 87) and Kinney (2000b, p. 84).46Simons (1995, p. 5).47For example, Simons (2000).
Internal control
Strategic control Management control
External focus Internal focus
Managementdecisionprocesses
Information qualityassurance andprotection of assets systems
systemssystems
Fig. 2.4 Interrelation of strategic control, management control and internal control.
Source: Adapted from Simons (1995, p. 128)
24 2 Basics
reliable and that assets are being protected. The information quality provided by
internal control enters into strategic and management control systems and builds the
foundation for any formal and informal strategic and management control decision. As
indicated with the gray arrows in Fig. 2.4, internal control, management control and
strategic control interrelate.48 Aspects of internal control are similarly discussed in
strategic and management control, however, the focus differs. While internal control
provides reasonable assurance for information quality and safeguarding assets, CoCo
(1995b, p. 5) clarifies that internal control “cannot prevent the taking of strategic and
operational decisions that are, in retrospect, incorrect”. Whether management decides
to act and what actions to take are outside of internal control.49 Management decision-
processes are part of strategic control and management control. Merchant and Van der
Stede (2007, p. 7) explain that issues of strategic control:
have a focus primarily external to the organization; they examine the industry and their
organization’s place in it. They think about how the organization, with its particular
combination of strengths, weaknesses, opportunities, and limitations, can compete with
other firms in its industry.50
Board and management decide on the mission, vision and value statements, as well
as the overall objectives of the organization. Based on evaluations of the organiza-
tion’s strengths, weaknesses, opportunities and threats, board and management
further decide on the overall strategy and performance goals to achieve the overall
objectives.51 In contrast to strategic control which is primarily concerned about
strategic decisions, management control takes an internal focus. Of concern is
primarily how organizational resources can be used so that people work toward
organizational objectives. An often quoted definition is the one from Anthony
(1965, p. 17), who defines management control as:
the process by which managers ensure that resources are obtained and used effectively and
efficiently in the accomplishment of the organization’s objectives.52
Management uses tools including “short and long range plans, financial budgets,
capital budgets, variance analyses and project reporting systems” in order to decide
48Similar to the internal control literature, the management control literature traditionally focused
on accounting information and often separated from operational and strategic control. However,
recent developments in the management control literature recognize that such a focus neglects
impacts on management control from strategy and operations. Otley (1999, p. 364) remarks:
“Although it may well have been sensible to concentrate initially on the core area of ‘management
control’, it is now necessary to pay more attention to the neglected elements of strategy and
operations”.49CoCo (1995b, p. 11). Internal control supports the achievement of organizational objectives.
Therefore it is not an end in itself, but a means to an end (Pfaff and Ruud 2007, p. 22).50Emphasis added.51Ruud (2003, p. 75).52An alternative definition provides Otley (1999, p. 364) who states that management control
systems “provide information that is intended to be useful to managers in performing their jobs and
to assist organizations in developing and maintaining viable patterns of behavior”. This view from
Otley on management control integrates internal control and gives little room for making a
distinction between internal control and management control.
2.1 Internal Control 25
on objectives.53 Management control is typically described as “a feedback process
of planning, objective setting, monitoring, feedback and corrective action to ensure
that outcomes are in accordance with plans”.54
In summary, whether strategic control or management control,55 both types of
control rely fundamentally on control systems that are based on reliable information
produced by effective internal control. Internal control provides decision makers in
the organization with reliable information so they are able to choose among
alternatives which are best for the achievement of organizational objectives.
2.1.3 Internal Control Effectiveness
The importance of internal control is most visible and prominent in cases when
internal control is ineffective. How much do tools such as a Balanced Scorecard
(BSC), Key Performance Indicators (KPI), and Customer Satisfaction Surveys
help management in achieving the organizational objectives56 if those tools are
based on inaccurate or manipulated information? How much can external parties
rely on financial reports for their investment decisions if these reports do not
reflect the real economic conditions of the organization? What use do codes of
business conduct have if organizational members confirm its content only as a
formality to please regulatory requirements rather than actually act in consistency
with these codes? These are questions that reflect the purpose of this study and
ask what the role of organizational culture is for internal control. Before turning
toward finding answers to these questions later in this study, this section dis-
cusses under what conditions internal control is effective and, if so, what benefits
it provides.
2.1.3.1 When is Internal Control Effective?
Internal control is inherently complex and consists of many activities across, up
and down, and inside and outside the organization. Defining control effectiveness
provides the reference that organizations aspire to when they intend to achieve all
the benefits of internal control. Contrary to the internal control process itself,
which is a means to an end, effectiveness is a state or point in time.57 Whether
internal control is effective depends on a subjective judgment of how the
53Simons (1990, p. 135).54Simons (1990, p. 130).55Merchant and Van der Stede (2007, p. 7).56See Kaplan and Norton (1992).57COSO (1992, p. 20).
26 2 Basics
objective categories of internal control are implemented. Broadly defined internal
control is effective, when board and management have reasonable assurance that:
l They know if and to what extent operational effectiveness and efficiency are
achieved. While operational effectiveness focuses on output of operations,
efficiency sets the priority on input, the use of resources and its costs. Aside
from when organizations set different priorities on the balance between opera-
tional effectiveness and efficiency,58 what is important is that management has a
clear understanding to what extent they are attained. For instance, are stream-
lined and centralized processes implemented? Do the operational processes
work in a cost-efficient manner?l Published financial statements and internal reporting are prepared reliably.59
Reliability requires that the measurement methods are carefully applied and that
the displayed portrayal in reporting reflects the results correctly.60 For example,
do the numbers reflect the performance of the organization? Does internal report-
ing provide the right overview of inventory and assortment?l Applicable laws, regulations, and internal rules are complied with.61 Compli-
ance is reached when records meet the external regulatory requirements such as
production standards, accounting standards, tax requirements and further legal
requirements, as well as internal policies.62 Are the legal requirements of each
country that the organization operates in being followed? Is the code of conduct
implemented throughout the whole organization?
Merchant (1985, p. 10) writes that “good” internal control is said to be in place
when “an informed person can be reasonably confident that no major unpleasant
surprises will occur”. Thus, the information provided by internal control supports
people in optimizing the trade-off between risk and expected reward in decision-
making. It helps people’s decisions in addressing risks and taking appropriate
actions63 so that the remaining (uncontrolled) risks are deemed acceptable. CoCo
(1995b, p. 2) explains that control includes the identification and mitigation of risks
and includes not only known risks related to the achievement of a specific objective
but also that the organization is able to address its opportunities. Knowing that risks
are adequately managed and controls are installed, internal control provides confi-
dence. Senior-level people feel more confident when signing off reports and
employees in general are more confident in their judgments.64 Moreover, effective
internal control addresses the organization’s risk of fraud. It safeguards assets from
theft and prevents distorted results.65 Effective internal control is important to the
58Ibid.59Ibid.60Kinney (2000a, p. 33, 62).61See CoCo (1995b) and COSO (1992).62Kinney (2000a, p. 33, 62).63Kinney (2000b, p. 84).64CoCo (1995b, p. 1). See also Ruud and Sommer (2006).65CoCo (1995b, p. 2).
2.1 Internal Control 27
outside as well. The accounting and financial reporting system66 represents a critical
information source for external decision makers and is the main instrument for
shareholders, as the owners of the organization, to have insight into the organiza-
tion’s earnings and financial conditions.67 Effective internal control provides reliable
information to external parties from investors to the public at large, and therefore
builds confidence in the capital markets based on the information available.68
2.1.3.2 Internal Control and Performance
A key question discussed in the literature and in practice is whether internal control
generates shareholder value.69 Because internal control is inherent in the organiza-
tion’s activities and part of the essence of the business, its inherent nature in
business activities already makes clear the direct link to performance. For example,
when operations become more effective and efficient because management takes
more emphasis on control design, it saves costs and brings about a positive impact
on performance. When the organization’s financial numbers are reliable and the
organization complies with regulations, it is also less likely to be involved in costly
lawsuits that negatively impact its reputation and performance. In contrast, there are
many control aspects where the link to performance seems less clear. For instance,
setting effective internal control equal to high formalization does not necessarily
guarantee a positive impact on performance.70 Instead it might bring an unneces-
sary cost burden. In general, management attention on internal control provides
effectiveness and efficiency of operations, reliability of reporting and compliance
with laws, regulations and internal policies.71 As a consequence of this manage-
ment attention on more effectiveness, internal control is likely to contribute to
performance but is not a performance driver itself.72
In sum, the term effectiveness is understood as an overall term that stands for a
well-functioning internal control including efficiency in operations, reliability in
66Information from financial reporting contains, for example, earning and financial condition
measures, periodic disclosures of off-balance items, such as certain types of leases, and transac-
tions with parties related to management or the organization itself (Kinney 2000a, p. 37).67Kinney (2000a, p. 37).68CoCo (1995b, p. 1). Reliability is understood as central aspect towards the outside. Other
aspects, such as giving the organization direction and assurance, which is important for share-
holders and other groups, are considered part of reliability here.69These aspects are discussed in regard to Sarbanes-Oxley requirements (for example, Rittenberg
and Miller 2005; Zang 2005), but also in regard to more general organizational design (for
example, Burton et al. 2006; Simons 2005).70See also the Sarbanes-Oxley debate: Ashbaugh-Skaife et al. (2007), Coates (2007), Doyle et al.
(2007), Ge and McVay (2005), Leone (2007), Rittenberg and Miller (2005), Ruud and Pfister
(2006), and Zang (2005).71See Rittenberg and Miller (2005).72See Simons (2005).
28 2 Basics
reporting, and compliance with rules.73 If organizational culture contributes to
internal control, it needs to support the achievements of these three objective
categories. Defining effectiveness related to these three categories relies on a
subjective judgment by senior-level people. How can senior-level people decide
whether these objectives are achieved?
2.1.3.3 Inverse Relation to Control Deficiencies
Reasonable assurance is given when internal control is without any material weak-
nesses. This criterion is adapted from the Sarbanes-Oxley requirements, which
address SEC listed companies. While the Sarbanes-Oxley requirements focus
internal control over financial reporting and potential misstatements in reporting,
this study applies them to the other objectives of internal control as well. Adapted
from the SEC (2007) and PCAOB (2007), material weakness is then defined as a
deficiency – or a combination of deficiencies – in internal control, such that there is
a reasonable possibility that a material ineffectiveness and inefficiency in opera-
tions, a misstatement in reporting, or noncompliance with internal or external rules
will not be prevented or detected on a timely basis.74 PCAOB (2007) defines that a
material weakness is the most severe type of control deficiencies. A control
deficiency can be based either on the design of a control or its operation:
l A deficiency in design exists when (a) a control necessary to meet the control
objective is missing or (b) an existing control is not properly designed so that,
even if the control operates as designed, the control objective would not be
met.75
l A deficiency in operation exists when a properly designed control does not
operate as designed, or when the person performing the control does not possess
the necessary authority or competence to perform the control effectively.76
This interpretation of control effectiveness means that it is inversely related to the
amount of deficiencies that exist in the organization: The fewer deficiencies internal
control has, the more effective it is. An ideal internal control would have no
deficiencies and all control would be optimally designed and executed as intended.
Taking this stand means that if organizational culture can contribute to control
effectiveness, then it must reduce the likelihood of deficiencies in internal control.
73The term ‘effective internal control’ can also be used more specifically. For instance, it can stand
for operations that are effective (but not necessarily efficient) or the term can be used to explain
financial controls are reliable (e.g., in Sarbanes-Oxley context).74This definition of material weaknesses in internal control is adapted from the definition of
PCAOB Auditing Standard No. 5, which defines a material weakness as “a deficiency, or a
combination of deficiencies, in internal control over financial reporting, such that there is a
reasonable possibility that a material misstatement of the company’s annual or interim financial
statements will not be prevented or detected on a timely basis” (PCAOB 2007, p. 43).75PCAOB (2007, p. 41; emphasis added).76PCAOB (2007, p. 41; emphasis added).
2.1 Internal Control 29
Defining control effectiveness inversely related to the aggregated amount of control
deficiencies leads to the question about the roots of control deficiencies.
2.1.4 Inherent Limitations
It is important to note that no matter how well internal control is designed it can
only provide reasonable – not absolute – assurance. Two inherent limitations of
internal control make it likely that the organization will not achieve its objectives.
People in charge:
l Can make errors and omissions, or commit fraudl Have to consider relative cost and benefit when designing and executing internal
control
These two inherent limitations make it clear that even well-designed internal
controls will retain some residual risks of the unexpected because outcome is not
predictable.77 Moreover, the limitations build a bridge to culture. For example, if
people work lazy, inaccurate, or commit fraud is often founded in the culture.
Likewise, whether management places value on detail-orientation and costly con-
trols or takes a more pragmatic approach is similarly rooted in the culture of the
organization.78 Hence, the two inherent limitations of internal control are of
importance for this study and are briefly introduced here.
2.1.4.1 Limitation 1: Errors, Omissions, and Fraud
In reality, people can be at fault in their judgment when making decisions and
breakdowns can occur simply because of errors and mistakes. For instance, people
must make decisions under business pressure, on time and with the information
available at hand. These decisions can turn out to be incorrect at a later stage, and
may need to be changed or corrected.79 Risk assessments can be performed
improperly by ignoring or misevaluating certain risks that affect the organization’s
ability to achieve its objectives. COSO (1992, p. 80) gives many more examples of
what can go wrong even if controls are designed well:
Personnel may misunderstand instructions. They may make judgment mistakes. Or they
may commit errors due to carelessness, distraction or fatigue. An accounting department
supervisor responsible for investigating exceptions might simply forget or fail to pursue the
investigation far enough to be able to make appropriate corrections. Temporary personnel
executing control duties for vacationing or sick employees might not perform correctly.
77COSO (1992, p. 15); Pfaff and Ruud (2007, p. 23).78For example, CoCo (1995b, 2006b) and COSO (1992, 2004, 2006).79COSO (1992, p. 80).
30 2 Basics
System changes may be implemented before personnel have been trained to react appro-
priately to signs of incorrect functioning.
Besides intended or unintended failures of personnel,80 management can override
controls and not follow policies and procedures for reasons of personal gain or to
hide the real financial condition of the organization.81 Besides individuals who
cause control issues, two or more people can circumvent controls by collusion. An
action can be perpetrated or concealed from detection through the collaboration of
an employee responsible for an important control function and another employee,
customer or supplier. Internal control contributes to minimize all of these human
errors and failures but cannot warrant absolute assurance that these types of failures
will not occur.82 These examples illustrate the importance of management integrity,
and of employees who work in the best interests of the organization, which are
typical cultural aspects.
2.1.4.2 Limitation 2: Cost Benefit Trade-off
The second limitation relies on the inherent complexity of internal control, and the
fact that it is not always directly observable and verifiable.83 When designing
control, management must consider the relative costs and benefits of specific
controls.84 Figure 2.5 illustrates that total costs rely on decision errors costs, asset
loss, residual risks, and on the amount of resources spent for internal control.85 The
figure illustrates that optimal total costs are achieved when operating costs for
internal control are balanced with decision error cost, asset loss, and residual risks.
As the “quality optimum” indicates, when designing control, management is
challenged to balance costs and quality.86 The graph demonstrates that high for-
malization of internal control is cost-intensive, causes inflexibilities, and still incurs
some residual risks (see right side of Fig. 2.2). Even within well-designed control
80CoCo (1995b, p. 3).81COSO (1992, p. 80) describes many other reasons that cause top management or division
managers to override controls. For example, they want “to increase reported revenue, to cover
an unanticipated decrease in market share, to enhance reported earnings to meet unrealistic
budgets, to boost the market value of the entity prior to a public offering sale, to meet sales or
earnings projections to bolster bonus pay-outs tied to performance, to appear to cover violations of
debt covenants or debt covenant agreements, or to hide lack of compliance with legal require-
ments. Override practices include deliberate misrepresentations to bankers, lawyers, accountants,
and vendors, and intentionally issuing false documents such as purchase orders and sales
invoices”. Management override is a typical aspect which demonstrates the overlap between
internal control and management control.82See Pfaff and Ruud (2007).83Kinney (2000b, p. 84).84COSO (1992, p. 79).85Kinney (2000a, p. 91).86CoCo (1995b, p. 3, 20).
2.1 Internal Control 31
systems, some residual risks will remain because the outcome is not predictable.
The ability to invest in adequate internal control requires both financial resources
and time, and varies depending on the organization’s financial capacity.87 For
example, a poorly performing organization may simply be concerned with staying
in business and therefore establish a “cost-savings” culture, which will not spend
much on controls. Ge and McVay (2005, p. 151) explain: “poor performing firms
may be undertaking actions, such as downsizing, which could create holes in their
existing internal controls”. On the other hand, an overemphasis on formal controls
does not guarantee a much better control quality. This limitation brings into
question how much formalism is needed for effective internal control, and also
on what role organizational culture plays in these cost-benefit decisions.88
Errors, omissions and fraud, and cost-benefit trade-offs in control design and
execution represent major reasons why internal control can only provide reasonable
assurance, not absolute. Examples such as Lehman Brothers, Siemens, UBS, Enron
andWorldCom demonstrate that the “cultural forces underneath” are part of control
as well. In the management control literature, it is a well-accepted fact that manage-
ment accounting and control systems need to be analyzed in the broader context.89
Cost/Year
Totalcost
minimum
Decision error cost,asset loss, and residual risks
Total cost
Internal controloperating cost
Quality optimumInternal control quality
Fig. 2.5 Cost and benefit of internal control.
Source: Adapted from Kinney (2000a, p. 91)
87Krishnan (2005, p. 652).88Of particular importance for these cost-benefit discussions are mandatory regulatory require-
ments. Regulatory requirements for internal control (e.g., Sarbanes-Oxley Section 404) set mini-
mum standards for how an organization must formalize its internal control and therefore impact
the cost-benefit trade-off within organizations. The more these formal regulatory requirements are
prescribed, the higher the minimum costs for internal control will be. As a consequence, regulation
can have an important impact on internal control design and raise competitive disadvantages for
organizations that would be able to design and executive effective controls also in a more informal
manner than law requires.89For example, Dent (1991) and Hopwood (1978, 1983).
32 2 Basics
Thus, to take an effective approach, control needs to be studied in its broad (informal
and formal) context. A specific control might be a formal system in one organization,
while in another company the same control might rely on less formalism.90 Impor-
tant is that the necessary controls are there (formally or informally) and that the
whole control approach works effectively together. Culture makes it possible that
the informal aspects (e.g., leadership, trust, values, and social norms) become part of
the analysis. Taking this stance, culture provides the adequate foundation for
analyzing internal control.
2.2 Organizational Culture
2.2.1 Definition
Many types of culture exist – national culture such as French culture, ethnic culture
such as Islamic culture, regional culture such as Scandinavian culture, and more
localized cultures such as the culture of a city, a specific neighborhood, or an
institution.91 Just as culture can refer to a nation or a region, it can also refer to
an institution such as an organization.92 Organization theory defines “organization”
in two ways. In a general sense “organization” is understood as a task or coordina-
tion of activities,93 while in a more specific way the term addresses the formal
institution as a social entity. The literature describes these social entities as “large
bureaucracies”94 and “complex structures-in-motion”.95 This formal entity, which
reflects the social structures established by organizational members, is the type of
organization this study refers to.
Professionals and academics often talk about establishing the “right” culture – a
culture that promotes “effectiveness”, an “ethical culture”, or a culture with the
“right values”. Organizational culture, then – assuming it is the right one –
contributes to organizational performance because it is aligned with the organiza-
tional objectives and purpose.96 For example, Microsoft emphasizes in its value
statement a “passion for technology”. Charles Schwab, a financial institution, sets
“ethical financial services” and “earning customers’ trust” as their priorities.97
90See Collier (2005) and Simons (2005).91Keyton (2005, p. 18).92Harris (1990, p. 741).93See Mintzberg (1979) and Thompson (1967).94Perrow (1986, p. 725, 1991).95Clegg (1981, p. 545).96For studies investigating culture and performance see Kotter and Heskett (1992), Siehl and
Martin (1990), and Sørensen (2002).97See www.microsoft.com and www.schwab.com.
2.2 Organizational Culture 33
These different cultural emphases make sense because the two organizations have
different purposes and operate in different industries. Microsoft needs to have a
culture in which people are passionate for technology in order to survive in a
dynamic market, whereas Charles Schwab’s success depends on people that en-
hance stability and the trust of its clients. Thus, not just any culture, but the “right”
culture, supports the organizational objectives and purpose, and contributes to
organizational performance.98
Before linking control and culture in the literature review in Chap. 3, this
subchapter provides a holistic interpretation of organizational culture. Because
culture is not always directly observable,99 defining it is challenging. This challenge
has led researchers to produce a variety of different interpretations. This subchapter
will showcase the range of definitions, will develop a two-layered interpretation of
culture in order to provide the setup for the further course of study, and will discuss
discrepancies among approaches. This is necessary in order to understand the main
part in which a framework is provided that captures how culture can be influenced
so that controls are effective.100
2.2.1.1 Variety of Interpretations for Culture
Organizational culture has awakened the interest of many researchers from differ-
ent areas, producing many ways of explaining the topic.101 To name a few, Schein
(2004) explains organizational culture through leadership; Deal and Kennedy
(1982) focus on the amount of risk employed; and Harrison (1972) considers the
extent of formalization and centralization within the organization. Besides these
alternate ways of treating organizational culture, another discussion in the literature
is the status organizational culture holds and how it relates to other organizational
forms. For instance, Weik (2001, p. 354) writes that organizational culture and
strategy partially overlap, while Hofstede et al. (1990, p. 286) gives culture a status
similar to structure, strategy, and control.102 This study adds to this discussion by
linking internal control and organizational culture.
98Schein (2004, p. 7).99See Keyton (2005).100In order to meet the focus of this study, this subchapter focuses on defining organizational
culture and does not discuss specific aspects such as the influence of leadership on culture or the
relation between culture and climate.101Hofstede et al. (1990, p. 286).102If not more clearly specified, in the proceeding of this study, the terms ‘culture’, ‘corporate
culture’ and ‘organizational culture’ are all used to explain the cultural phenomena related to an
organization.
34 2 Basics
Table 2.1103 provides a collection of interpretations which illustrate ways that
culture is defined, interpreted and analyzed.104 Due to the fact that culture is not
entirely observable and describable,105 the overview shows that many different
interpretations have been developed. Each of these definitions referenced in the
figure can be applied to culture. Synthesizing the various definitions from the figure,
four characteristics of culture can be identified. Culture is:
l About shared understandings among group membersl About group member’s interactionsl Implicit (and explicit)l Is based on history and tradition.
Table 2.1 Categories used to explain culture
Definition Description
Observed behavioral regularities
when people interact
The language they use, the customs and traditions that
evolve, and the rituals they employ in a wide variety of
situations
Group norms The implicit standards and values that evolve in working
groups, such as the particular norm of “a fair day’s work
for a fair day’s pay” that evolved among workers in the
Bank Wiring Room in the Hawthorne studies
Espoused values The articulated, publicly announced principles and values
that the group claims to be trying to achieve, such as
product quality or price leadership
Formal philosophy The broad policies and ideological principles that guide a
group’s actions toward stockholders, employees,
customers, and other stakeholders, such as the highly
publicized “HP Way” of Hewlett-Packard
Rules of the game The implicit, unwritten rules for getting along in the
organization; “the ropes” that a newcomer must learn in
order to become an accepted member; “the way we do
things around here.”
Embedded skills The special competencies displayed by group members in
accomplishing certain tasks, the ability to make certain
things that gets passed on from generation to generation
without necessarily being articulated in writing
Habits of thinking, mental models,
and linguistic paradigms
The shared cognitive frames that guide the perceptions,
thought, and language used by the members of a group
and taught to new members in the early socialization
process
103Schein’s original figure was shortened. Also, authors that refer to the specific definitions were
removed here.104Although the focus here is on the organization, the concept of culture of any other instance is
true for the specific culture of an organization as well. Therefore any definition of culture (whether
referring to the organization or another reference) is included in this overview.105See Keyton (2005).
2.2 Organizational Culture 35
First, culture is defined as “behavioral regularities”, “ideological principles” or “the
way we do things around here”, which all reflect that culture is about shared
understandings. Culture is about a shared understanding of the principles that are
important for a group and the way actions should be performed. Thus, with regard
to internal control, organizational culture stands for the common understandings
within an organization how controls must be designed and executed. Second,
culture is defined as “the way in which members of the organization interact with
each other”. Hence, culture has to do with group members’ communications, which
is another link to internal control.106 Third, culture is “embedded” and “implicit”,
and relates to intangibles such as meanings, understandings and beliefs.107 In the
context of controls, this means that the existence of culture makes it possible to
analyze social controls and its relation to explicit formal control mechanisms.
Fourth, culture is based on history and tradition as it is “passed on from generation
to generation” and reflects “the customs and traditions that evolve”.108 History
links culture and control because both evolve over time. Together, these four
aspects of culture offer criteria to be met when developing a holistic definition
of culture.
2.2.1.2 Defining Organizational Culture
Combining the definitions from Schein (1990) and O’Reilly and Chatman (1996),
in this study organizational culture is defined as a pattern of basic assumptions that a
group has invented, discovered or developed in learning to cope with its problems
of external adaptation and internal integration,109 which is represented in a systemof shared values defining what is important, and norms, defining appropriate
attitudes and behaviors, that guide each individual’s attitudes and behaviors.110
This definition combines two common types of definitions on culture and empha-
sizes that an organization establishes its values and norms as a result of how the
106See Sect. 3.2.2.107Alvesson (2002, p. 6).108Bromann and Piwinger (1992) view culture in a timeframe and divide into what the cultural
reality is, and what the desired status of the culture should be. They also argue that older
organizations do not necessarily have “more culture”. Often in young companies team spirit and
entrepreneurial thinking can bring culture more clearly to the forefront than in an established
company.109Taking a dynamic view, Schein (1990, p. 111) defines organizational culture as “a pattern of
basic assumptions that a group has invented, discovered or developed in learning to cope with its
problems of external adaptation and internal integration, and that have worked well enough to beconsidered valid, and therefore, to be taught to new members as the correct way to perceive, think,
and feel in relation to those problems”.110Taking a static view, O’Reilly and Chatman’s (1996, p. 166) organizational culture is “a system
of shared values defining what is important, and norms, defining appropriate attitudes and
behaviors, that guide members’ attitudes and behaviors.”
36 2 Basics
organization has been reacting to important influences from the environment and
incidents in the present and past.111
Figure 2.6 illustrates how the two views of culture interrelate.112 The two arrows
indicating external adaptation and internal integration illustrate how culture refers
to the environment. Thus, starting with the environment, it is shown that culture
externally adapts and internally integrates as a continuous and interrelated pro-
cess.113 Toward the outside, the organizational culture must adapt continuously to
the external environment such as market, regulation and other factors that influence
the organization. At the same time, the organizational culture needs to integrate
internally and establish a common understanding of how things are going to be
done in the culture. While these processes build the intermediate elements within
the organization’s environment, the common understanding of how to adapt and
integrate is defined in the shared values and social norms among the organization’s
members. Representing the core and the more stable part, values and norms can be
seen as the social and normative glue that holds an organization together.114
Meeting the four requirements identified earlier in the chapter (shared understand-
ings, interactions, implicitness, and history), the approach taken in this study
Internalintegration
Externaladaptation
Environment
Shared valuesand social norms
Fig. 2.6 Combined view
111Lim (1995, p. 17) and Schein (1990, p. 111).112Traditionally, the concept of culture has been analyzed in anthropology. According to Kroeber
and Kluckhohn (1952, p.181), culture “consists in patterned ways of thinking, feeling and reacting,
acquired and transmitted mainly by symbols, constitute the distinctive achievements of human
groups, including their embodiments in artifacts; the essential core of culture consists of traditional
(i.e., historically derived and selected) ideas and especially their attached values” (emphasis
added).113Dent (1991, p. 709) writes that cultures “in organizations are not independent of their social
context. They are interpenetrated by wider systems of thought, interacting with other organizations
and social institutions, both importing and exporting values, beliefs and knowledge”.114See Collins and Porras (1996) and Tichy (1982).
2.2 Organizational Culture 37
represents a holistic definition of organizational culture. Following a two-layered
definition of organizational culture, the next two sections discuss the components of
the definition:
1. External adaptation and internal integration115
2. Shared values and social norms116
2.2.2 External Adaptation and Internal Integration
External adaptation and internal integration sees culture as the way an organization
deals with its changing environment.117 A culture can only be “effective” when it
addresses its environment in a way that supports the organizational long-term
performance. For instance, an international organization that operates in a short-
lived and competitive market will need a culture that can deal with innovation and
rapid change, while a small and locally operating organization in a more traditional
industry might be more successful with a conservative culture that builds on stable
products and customers. Hence, depending on the environmental characteristics, an
organization faces different factors and speeds of change which it must adapt to.
Organizational culture determines how organizational members build consensus on
how to face their environment. Adaptation and integration occur in parallel and are
of equal importance. The next two paragraphs discuss adaptation and integration in
more detail.
External adaptation concerns the way an organization, as a group of people,
deals with change – how it addresses risk and uncertainty, explores new possibi-
lities, and approaches new and challenging situations. It represents how organiza-
tional members reach consensus on mission, strategy, objectives, means to achieve
the objectives, their measurement, and corrections if necessary. Thus organizational
culture (as external adaptation) is about obtaining a shared understanding among
organizational members of the core mission, strategy and objectives. It is about how
consensus is reached regarding the means of attaining objectives such as organiza-
tional structure, responsibilities, rewards, and sanctions. Moreover, consensus
needs to be reached on the criteria to be applied in measuring how well the group
is doing in fulfilling its objectives. Schein (2004, p. 88) writes: “This step [of
external adaptation] also involves the cycle of obtaining information, getting that
information to the right place within the organization, and digesting it so that
appropriate corrective action can be taken”.118 Finally, consensus needs to be
reached on the correction to be used if objectives are not being achieved. In contrast
115Schein (1990, p. 111).116O’Reilly and Chatman (1996, p. 166).117Schein (2004, p. 8).118Schein’s quote shows how close organizational culture and internal control are. The quote
contains typical internal control matters such as discussed in the section on the benefits of internal
control.
38 2 Basics
to internal control, which is about the means to achieve organizational objectives in
general, external adaptation emphasizes reaching consensus about the means
among group members.119
Although the two processes are discussed in sequential order here, internal
integration occurs parallel to external adaptation.120 Internal integration deals
with how people form a group. Groups must develop clear assumptions about
what is and what is not accepted in the culture. They also need to establish a
common understanding of justice, regulation, norms and rules. To avoid false
expectations, they need to find a common means of communicating and giving
feedback. These integrative processes lead to solidarity among the group mem-
bers.121 Schein (2004, p. 133) describes that every group:
must learn how to become a group. The process is not automatic; in fact it is complex and
multifaceted. Humans, being what they are, must deal with a finite and describable set of
issues in any new group situation. At the most basic level they must develop a common
language and category system that clearly define what things mean. Formal languages do
not specify with enough precision what work, teamwork, respect, quality, and so on mean.
Groups must reach consensus on the boundaries of the group, who is in and who is not in.
They must develop consensus on how to distribute influence and power so that aggression
can be constructively channeled and formal status accurately determined.122
Internal integration means everything from defining what the group is and how the
group works to coordinating activities so that specialized contributions complement
each other and form the group as a whole.123 Schein’s quote demonstrates that
internal integration is about how a group of people organizes itself, what social
structures, hierarchies and relationships it creates, and also what behavior is
accepted in the group and what is not. In addition, groups need to find explanations
to deal with unpredictable and unexplainable events. In this sense, Schein (2004,
p. 133) compares a group’s culture as a functional equivalent to religion, mythology,
and ideology, which are all used to explain the unexplainable.
While external adaptation concerns the external environment, members develop
a common understanding of principles and behaviors inside the organization
through internal integration.
In sum, organizational culture, as discussed in this section, deals with how
organizational members reach consensus on adapting to the external environment
and how the organization internally integrates. In contrast to the values and norms,
which will be discussed shortly and take a more static view, the focus for adaptation
and integration is dynamic – dealing with how people form a social system that has
adequate internal stability to survive under changing conditions.
119Denison et al. (2006, p. 7).120Schein (2004, p. 109).121Meglino and Ravlin (1998, p. 357).122Emphasis added.123See Denison et al. (2006) and Meglino and Ravlin (1998, p. 7)
2.2 Organizational Culture 39
2.2.3 Shared Values and Social Norms
The core variables of culture are often described as shared values among members
of a group.124 In alignment with Schwartz and Bilsky (1990), Wiener (1988),
O’Reilly and Chatman (1996), and Van Rekom et al. (2006) this study takes the
position that values guide behavior.125 Rokeach (1973, p. 5) defines a value as an
“enduring belief that a specific mode of conduct or end-state of existence is
personally or socially preferable to an opposite or converse mode of conduct or
end-state of existence”. This definition emphasizes that values can relate to both the
action leading to an objective as well as the objective as end-state itself. The
definition from Rokeach corresponds to Schwartz and Bilsky’s observation (1987,
p. 551) who find that most of the value definitions have in common that “values are
concepts or beliefs, about desirable end states or behaviors, that transcend specific
situations, guide selection or evaluation of behavior and events, and are ordered by
relative importance”. Thus, values are ordered in a value system, which reflects the
relative priority of the importance of a value for a specific situation. Hence, what
reflect the culture are the values that are instilled in people’s day-to-day actions as a
result of the underlying value system. Michela and Burke (2000, p. 229) explain
that values are intertwined with norms:
With values, the desired behavior is expected to follow if the predisposing values are
instilled. With norms, getting the desired behaviors, by whatever means, creates conditions
in which people infer they are the right ones or, at least, the socially approved ones
(including when people are explicitly socialized to conform to the norms).
As this quote shows, while values lead to behavior when they are “instilled”, social
norms address what people in a group perceive as expected behavior (a conversion
from “is” to “ought”) and therefore sets expectations for behavioral standards in the
group.126 Values127 are a fundamental concept (having a “transcendental quality”),
and are deep-rooted and pervasive in nature.128 In contrast, social norms are about
social expectations.129 These social expectations are based on underlying values.
Therefore, as values interrelate with social norms, and the distinction between
values and norms may be fluent, this study focuses primarily on values, but also
124Wiener (1988, p. 534).125There are some scholars that deny this influence of values on behavior and say that values only
rarely influence behavior (for example, Kristiansen and Hotte 1989; McClelland 1985).126D’Andrade (1984, p. 229) and Michela and Burke (2000).127Values must be distinguished from other concepts such as opinions and attitudes. A value is
more general and less bound to any specific object as opposed to many attitudes and opinions,
which are situation-bound. Therefore a value can underlie numerous opinions and attitudes (Akaah
and Lund 1994, p. 418; England 1967, p. 54).128Rokeach (1973, p. 17).129O’Reilly et al. (1991, p. 492).
40 2 Basics
discusses them implicitly in their function as social norms.130 Social norms repre-
sent what people within a group typically do, and shared understandings among the
group members represent what people from the group are supposed to do.131 Fehr
and Fischbacher (2004, p. 63) interpret social norms as “normative standards of
behavior that are enforced by informal social sanctions” and explain social norms as
one of the distinguishing facets of human species. Thus, social norms define what
people ought to do as part of a common understanding in the group.132 In contrast to
the value which is instilled, social norms reflect the social expectations of behavior
in a group that is typically enforced by social sanctions.
In retrospect, two important points need to be mentioned here. First, to become a
driver for organizational effectiveness, values, and norms need to support organi-
zational goals and strategies.133 Thus, the mere fact that shared values exist does not
necessarily result in organizational success and task productivity. Values must
enhance behavior that is appropriate for task performance and survival of the
organization. Second, in the terminology of Schein’s dynamic definition, values
and norms must be adequate for both external adaptation and internal integration.
Values for internal integration may be different from those values required for
external adaptation. An organization can have high internal standards and apply
these effectively. For adapting to the outside, however, those values could bring
competitive disadvantage.134 Consequently, values and norms need to be appropri-
ate for the organization’s objectives both within the organization and toward the
outside.
2.2.4 Specifications
The broad definition of culture provides a holistic setup for analysis. As preparation
for the further analysis in Part III, two important discrepancies are discussed in this
section. First, the definition of organizational culture contains a dynamic and a
static perspective, which offer different insights. Second, culture can be addressed
from the perspective of different disciplines such as psychology, sociology or
anthropology. Each produces different insights into the topic as well. Thus, includ-
ing more than one viewpoint in this study is likely to bring different insights and as
a consequence a more comprehensive view of culture. Because variations in view-
points provide a breadth adequate to internal control, they are relevant for the
premise of this study.
130In accounting and control research social norms are often discussed in regard to incentive
systems (for example, Kunz and Pfaff 2002).131Michela and Burke (2000, p. 229).132See D’Andrade (1984).133Wiener (1988, p. 536).134Meglino and Ravlin (1998, p. 356).
2.2 Organizational Culture 41
2.2.4.1 Dynamic versus Static View
As the prior discussion on culture demonstrates, the conceptual spectrum of re-
search on organizational culture can be interpreted as operating along a continuum,
extending from dynamic to static approaches. On the one hand, culture is inter-
preted dynamically because it is seen as something “historically derived and
selected”. Culture is seen as a process, evolving with time, dynamic, and changing
in nature.135 On the other hand, research often interprets culture as more static,
based on values and norms (or similar variables). Culture is then viewed as static,
focusing on a specific point in time, relying on the idea that it is classifiable based
on two or more variables such as a set of values and norms.136 Because this static
view looks at culture as a variable that can be distinguished through one or two
variables, Alvesson (1989) uses the term “classification-oriented”. In contrast, he
uses “process-oriented” for the dynamic view because it portrays culture as a
process that adapts to the environment and integrates internally. In this study,
both views will be discussed similarly and referred to as the “dynamic” and the
“static” views on culture. Table 2.2 gives a summary of the two views.
Schein (2001, p. xxiv) describes the fact that culture can be conceptualized
dynamically as well as statically as a “chronic issue”. Obviously, different inter-
pretations can cause misunderstandings. They are not only different concepts but
also imply different methods of dealing with culture.137 Nevertheless, he concludes
that both meanings of culture have utility for theory building. Social phenomena
cannot really be understood “without understanding both the historical events and
the cultural meanings attributed to those events”.138 Supporting Schein’s argumen-
tation, the variety of definitions on culture is seen as an opportunity to investigate
different aspects of culture rather than as a conceptual dilemma. As will be
discussed in more detail later, this study applies both the static and the dynamic
view in order to produce a comprehensive understanding of culture.
Table 2.2 Dynamic versus static view on culture
Dynamic view Static view
Based on adaptation and integration Based on shared values and norms
Evolving and changing Stable
Process-oriented Classification-oriented
Source: Adapted from Schein (2004, pp. 12-13)
135Lim (1995, p. 17).136See Hampdon-Turner (1990).137While process-oriented approaches are often combined with theory-building and qualitative
studies (see Alvesson 2002; Schein 2004), classification approaches often relate to quantitative
studies in which culture is measured and related to specific organizational outcomes (see O’Reilly
et al. 1991; Sarros et al. 2005; Sørensen 2002).138Schein (2001, p. xxiv).
42 2 Basics
2.2.4.2 Organizational versus Individual Level
In the same way as the dynamic and static views reflect interests from varying
origins, different disciplines also address culture in different ways and, as a result,
produce different insights. This study divides these insights into two levels: the
organizational (sociological) and personal (psychological) levels.139 For instance,
how culture impacts the actions of an individual can be investigated based on a
psychological point of view. In contrast, how culture affects the interrelations of
people in a group or an organization is a possible sociological study.
Keyton (2005, p. 18), taking a sociological stance, points out that through
people’s interactions, a unique culture in the form of a social structure is formed
and is “continually reproduced by its members”. Keyton explains culture as some-
thing that is produced through a group of people (e.g., an organization) and
emphasizes that this group of people establishes autonomy based on social struc-
tures (e.g., a typical question of this type of research would be: what group
dynamics take place in performing controls?). In contrast, Hofstede (2001, p. 9),
defines culture as “the collective programming of the mind that distinguishes the
members of one group or category of people from another”. Hofstede considers
what is going on within people and explains culture as something that “programs
the mind”. The last definition makes clear that organizational culture affects each
individual participating in a cultural setting (e.g., what do people think when they
perform controls?).
As these two examples demonstrate, different levels such as organization and
individual turn out to deliver a different viewpoint and emphasis on culture, and
also promise to bring different qualities to their results. As a consequence, any
study of culture needs to clarify which level it addresses so that it can produce
valuable results. This study considers on the organizational and individual level as
well as on the dynamic and static view in order to link internal control and
organizational culture more holistically.140
2.3 Summary
This chapter has discussed the basics of internal control and organizational culture
to provide a common understanding of the two topics.
Internal control is a process, effected by all people within the organization, and
designed to provide reasonable assurance for the achievement of the objectives in
regard to effectiveness and efficiency of operations, reliability of internal and
external reporting, and compliance with applicable laws, regulations and internal
policies. Internal control primarily supports the achievement of these objectives by
providing decision-makers with information quality and by the safeguarding of
139These are common differentiations in interdisciplinary research.140See Chaps. 5–7.
2.3 Summary 43
organizational assets. Hence, internal control provides integrity for any control
system within the organization. Internal control is effective if senior-level people
have reasonable assurance that the three objective categories are achieved and that
internal control is free of any material weakness. Because within any control design
rests the risk of errors, omissions, and fraud, and relies always on a cost-benefit
trade-off, internal control can only provide a reasonable assurance for the achieve-
ment of objectives, not absolute.
As with internal control, many interpretations for organizational culture have
been developed. Extracting common patterns of definitions, culture is about shared
understandings of a group’s principles and actions, builds on members’ interaction,
and is implicit and historically derived. Based on these variations in interpretation,
the study developed a two-layered definition of organizational culture. Organiza-
tional culture is defined as the way in which members of a group cope with external
adaptation and internal integration, and how these processes of adaptation and
integration are reflected in shared values and social norms. This definition is
broad and covers a dynamic as well as a static view of culture. Moreover, this
broad definition makes it possible that culture can be analyzed on a more organiza-
tional (sociological) level and on a more individual (psychological) level in the
further course of study.
After having developed an understanding for internal control and organizational
culture here, the next chapter proceeds with a literature review to examine how the
two topics are related to each other in management accounting and control research.
44 2 Basics
http://www.springer.com/978-3-7908-2339-4
top related